Since the introduction of the federal Health Insurance Portability and Accountability Act (HIPAA), many people presume, incorrectly, that all or most of the medical information that they have provided to medical professionals, insurance companies or employers is protected.

The fact of the matter is that individuals often trade confidentiality in return for things such as insurance coverage, employment opportunities, government benefits, or work site health and safety investigations.

2. What types of health and medical information exist?

Health professionals create medical records when they treat patients that generally include medical history, lifestyle details (such as smoking or involvement in high-risk sports), and family medical history. These records may also contain lab results, medications prescribed and surgeries.

Health and medical information is also collected from individuals when they apply for disability, life, or accident insurance through private insurers or government programs.

Additionally, individuals often generate health and medical-related information themselves via online research, joining support groups and using mobile apps , (zocdoc.com for example has the user provide significant medical details before scheduling an appointment with one of their participating providers).

3. Who may have access to health and medical information?

a. HIPAA covered entities and their business associates

Healthcare providers, health plans, and healthcare clearinghouses have access to medical records and health information but are also required to comply with HIPAA.

b. Insurance companies

Insurance companies usually require individuals to release records before they will issue a policy or make a payment under an existing policy. Most insurance companies must comply with HIPAA as health plans, but certain types of insurers are not required to comply with HIPAA.

The Medical Information Bureau (MIB Group, Inc.) is a database of medical information shared by life and health insurance companies.

The MIB is subject to HIPAA as a business associate of its member health insurance companies.

MIB files do not include the totality of one’s medical records as held by a health care provider. Rather it consists of codes signifying certain health conditions.

A decision on whether to insure is not supposed to be based solely on the MIB report.

The MIB does not have a file on everyone, and won’t have information on someone who has not applied for individually underwritten life or health insurance in the last seven years. However, people who believe they have an MIB file will want to be sure it is correct.

Individuals can obtain a copy for free once a year by calling (866) 692-6901 or ordering it through MIB’s website.

d. Prescription drug database companies

Two companies, Milliman (IntelliScript) and Ingenix (MedPoint) buy prescription information from pharmacy benefit managers (PBMs) and compile it into reports. They sell these prescription drug purchase history reports to insurance companies.

e. Financial institutions

Financial transactions are likely to reveal information about where an individual goes for healthcare. This kind of information is not covered under HIPAA. However, the federal Gramm-Leach-Bliley Act (GLB) requires financial institutions to notify individuals of information-sharing practices and provide an opt out for certain third party sharing.

f. Government agencies

Government agencies on all levels (local, state, and federal) may request or receive certain types of health or medical information. For example, government agencies may request medical records or information to verify claims a person makes through Medicare, MediCal, Social Security Disability, and Workers Compensation.

g. Educational institutions

Educational institutions may have records that contain vaccination histories, information about physical examination for sports, counseling for behavioral problems, and records of visits to the school nurse among other things. Privacy of education records is under the control of the U.S. Department of Education and the Family Educational Rights and Privacy Act (FERPA). HIPAA does not cover education records. For more information about FERPA, visit the Department of Education’s website on FERPA.

h. The court system and law enforcement

When a person is involved in litigation, an administrative hearing, or a worker’s compensation hearing and his or her medical condition is an issue, the relevant parts of a medical record may be introduced in court.

In addition, law enforcement officials may receive health information in situations such as an instance of abuse, a death, a gunshot or stabbing.

If records are for a legal proceeding, they become a part of public record. Individuals should consult legal counsel for more information.

i. Employers

Employers usually obtain medical information about their employees by asking employees to authorize disclosure of medical records. This can occur in several ways not covered by HIPAA. Depending on state law, employers may have to establish procedures to keep employee medical records confidential. Employees should ask prospective employers about the company’s medical records privacy policy.

j.Marketers and data brokers

Health- and medical-related information may be passed on to marketers and data brokers when individuals participate in informal health screenings or otherwise voluntarily release information in a situation that doesn’t fall under HIPAA or stronger state law.

k. Websites and mobile applications

A tremendous amount of health-related information is available on the Internet. Many sites and discussion forums are available for individuals to share information on specific diseases and health conditions. Websites dispense a wide variety of information, but they also collect a wide variety of information. There is no guarantee of confidentiality when a site isn’t subject to medical privacy laws (and most aren’t).

Personal Health Records (PHRs). PHRs allow consumers to store, manage, and share their health information. Individuals manage their own PHRs which is what distinguishes them from electronic health records (EHR) that a health care provider controls and populates. Various companies offer PHRs, and features vary. However many PHRs offer individuals the ability to store and transmit medical history information, prescription information, test results and imaging, drug alerts, immunization records, and treatment plans.
These types of aggregated electronic health records pose a number of privacy risks, here are a few:

HIPAA and/or state health privacy laws may not apply to a PHR.

The website operator could be asked to turn over customer records as part of a legal proceeding.

It is important for individuals to understand HIPAA’s limits. The best policy is ask questions and do a little research before revealing health or medical information. There are many instances in which people create or release health or medical information and there are no applicable privacy laws. In these cases, it is best to look for and understand any relevant privacy policies the person or company has agreed to follow.

The bottom line is become an informed medical consumer. For the sake of expediency, we often provide access to our health information and that may be a mistake that cannot be corrected should that data become involved in any sort of civil or criminal proceeding or funds (disability, death benefits…) determination. Research before you release your private medical records.

Who. What.

For the trial law and legal community from a private investigator's perspective.
The Beacon Bulletin is the weekly newsletter authored and published by our parent company, Beacon Network Investigations, LLC (BNI).
We're a private investigation company. We DON'T dispense legal advice, respond to anonymous queries or black hat your enemies for you. (Internally, however, points are alloted to our favorite subtly phrased compliments.)
We DO hope to inform. That's our business.